Award-Winning Line of Web Content, DLP and Messaging Security Appliances to Go Virtual
WatchGuard Adds Content Security to Virtualization Platform
Monthly Archives: February 2012
WatchGuard Bolsters Small Business Security Lineup with Two New UTM Appliances
WatchGuard XTM 25 and XTM 26 Appliances Round-Out Small Business, Wireless Hotspot and Branch Office Offerings; Provide Full Suite of Protection Against Hackers, Malware and More
[ANNOUNCEMENT] Apache HTTP Server 2.4.1 Released
Apache HTTP Server 2.4.1 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the GA release of version 2.4.1 of the Apache HTTP
Server. This version of Apache HTTP Server is the first GA release of
the new 2.4.x branch.
Apache HTTP Server 2.4 provides a number of improvements and
enhancements over the 2.2 version. A listing and description of these
features is available via:
http://httpd.apache.org/docs/2.4/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes.
We consider this release to be the best version of Apache HTTP Server
available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.4.1 is available for download from:
http://httpd.apache.org/download.cgi
This release requires the Apache Portable Runtime (APR) version 1.4.x
and APR-Util version 1.4.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and may require minimal source code changes.
http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html
A summary of all of the security vulnerabilities addressed in this and
earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_24.html
Important:
Windows users: AcceptFilter None has replaced Win32DisableAcceptEx
and the feature appears to have interoperability issues with mod_ssl.
Apache 2.4.1 may not yet be suitable for all Windows servers. There
is not yet a Windows binary distribution of httpd 2.4, but this is
expected to be remedied soon as various dependencies graduate from
beta to GA.
CVE-2012-0206 (authoritative_server)
common_startup.cc in PowerDNS (aka pdns) Authoritative Server before 2.9.22.5 and 3.x before 3.0.1 allows remote attackers to cause a denial of service (packet loop) via a crafted UDP DNS response.
CVE-2011-3025 (chrome)
Google Chrome before 17.0.963.56 does not properly parse H.264 data, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Oracle Java SE Critical Patch Update Advisory – February 2012
SA-CORE-2012-001 – Drupal core multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2012-001
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2012-February-01
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description
Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users’ information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File module
CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
Versions affected
- Drupal 6.x core prior to 6.23.
- Drupal 7.x core prior to 7.11.
Solution
Install the latest version:
See also the Drupal core project page.
Reported by
- The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
- The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
- The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
Fixed by
- Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
- OpenID issue fixed by Vojtech Kusy and Christian Schmidt
- The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Drupal version: